Site icon Segurança Informática

URSA trojan is back with a new dance

The Latin American URSA trojan returns in 2022 with a new dance.

Overview

Since August 2022, a new campaign associated with the URSA trojan has been spread at a large scale and extended to Portugal. The authors behind the threat have released a new version and how the malware is loaded. This is, in fact, the major update 2 years after the initial publication here « Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader ».

Trojan URSA – also known as mispadu malware by ESET – has impacted Internet end-users from different countries, including BoliviaChileMexicoArgentinaEcuadorPeruColombiaParaguayCosta RicaBrazilSpainHonduras, and Portugal.

This trojan collects passwords from web browsers and popular software such as FTP and email services. Also, it performs the banking browser overlay technique to lure the victims into introducing the banking credentials while the flow is executed – step-by-step – in the background by criminals. In addition, authentication credentials from cryptocurrency sites are also targeted, and criminals attempt to move money to specific wallets they have control over.

During this investigation, control of the URSA C2 server was also achieved, and details from 16.242 victims from different geolocations (including Portugal) were observed. This C2 server has been used to keep details from several campaigns that occurred during July – October 2021, and on the ongoing campaign July- September 2022 also extended to Portugal.

 

GeoMap of URSA Infections: Jul-Oct. 2021 and Jul-Sep. 2022 


Figure 1: GeoMap of URSA Infections that occurred between July and October 2021 and July- September 2022 collected from a C2 server.
 

Table 1: Number of infections grouped by country.

Number of InfectionsCountry
11910Mexico
4103Spain
103USA
88Chile
24Portugal
8Brazil
4Argentina
2Honduras

 

Mexico is clearly the country with more users affected 11.910 from the total of 16.242 observed. Spain is the second country with 4.103, followed by the USA (103), Chile (88), and Portugal (24).

According to the details obtained from the C2 server, the campaigns occurred during the Summer season, both in 2021 as well as in 2022. In detail, the authors behind the schema, divide the campaigns by tags and names, namely:

 

A print screen from the accessed C2 server is presented below with the skeleton mentioned above.

Figure 2: Screenshot from the C2 server with the different campaigns spread in 2021.

 

The folder campaigns keep the victims’ secrets (Web-Browser and software passwords) encrypted. These details are collected in runtime via legitimate software and sent to the C2 server using the following file format:  ID-LANGUAGE_COMPUTERNAME_RND-PREFIX_ID.txt 

Figure 3: Part of users’ secrets found on the C2 server as an example.

 

 

Key findings

 

 

The new dance of URSA trojan

: in-depth analysis


In this section, we are going through the details of the URSA trojan, analyzing step-by-step this banking trojan, how it operates, and what kind of data is exfiltrated. It should be noted that some details may be obviously cited from the first publication published on the blog in 2020, not making, thus, an overlap of information already scrutinized.

 

Email is the «vehicle» to disseminate the threat

URSA trojan operators utilize spear-phishing campaigns to distribute the threat around the world. The modus operandi observed in recent years is similar to other Latin American trojans. In short, well-designed templates that impersonate popular brands are linked to bait invoices opening the door to potential infections.

In the first instance,  the first waves of this campaign in Portugal indicated some inconsistency because in one of the phishing emails the recipients (targets) were placed in the “TO” email field.  This detail can obviously defeat the malicious intent of deceiving a victim, in addition to the grammatical typos found.

The email message often refers to overdue invoices “Fatura Consumo de Eletricidade” – the decoy – in order to lure the victim into downloading the malicious file (a .HTML file attached to the email). These emails are sent between the end and the beginning of each month. As observed in this sample and others collected during this analysis, the sender’s email address is under the .MX TLD. This detail can explain the high number of infections in Mexico as reported in Table 1 above.

Figure 4: Email template of URSA impersonating GALP Energia and AT in Portugal (September 2022).

 

After opening the HTML file (FATURA_208538.PDF.HTML : b9187767d2fa4cb358f850a5f48a152b), a message related to Adobe Reader is presented in the Portuguese language. Basically, an error during the process occurred, and the user needs to “download” something additional to visualize the invoice (a trap).

Figure 5: HTML content presented when the victim opens the email attachment.

 

As can be seen, the button “Documento de descarregação” is a bad translation of “Descarregar documento” in the Portuguese language. This HTML element has associated an “onClick()” event that will download the next malware stage (RAR file).

Figure 6: JavaScript code responsible for downloading the next malware stage (a RAR file).

 

Figure 7 shows the source code deobfuscated. In short, a hardcoded HEX string is converted and “%%” chars are replaced. The deobfuscation process can be done by using a CyberChef recipe.

Figure 7: Deobfuscation of the JavaScript code via CyberChef recipe.

 

Although some parts of the infection chain remain from the URSA analysis in 2020, criminals have made the scheme more complex and sophisticated, with the addition of different layers precisely to bypass antiviruses and EDR systems. This is the new dance of URSA trojan in 2022.

The high-level diagram of the URSA trojan 2022 release is illustrated in Figure 8 below.

Figure 8: Ursa trojan / Mispadu 2022 – high-level diagram (September 2022).

 

This diagram simplifies the entire process in short steps. As observed, the usage of LOL BINS such as Certutil, WMIC, and WScript is a known TTP of different Latin American trojans, including Grandoreiro, Lampion, Javali, etc. The same consideration for AutoIT loaders and DLL side loading; which is a common modus operandi of these kinds of threats.

The most interesting details are scrutinized below.

 

RAR file with easter egg


Filename: FATURA_GALP_899318.rar
MD5: a5c87471e8d438cd40b137b2c0aa276e
SHA1: f11300a44987991bbe620246b5ec31e10835bc21


After clicking on the HTML button, a RAR file is downloaded as presented in Figure 7. A random file name is dynamically generated for each execution, but its content is obviously the same. As illustrated, the initial URL redirects to a new one that will perform the download of the RAR file into the victim machine.

Figure 9: Downloading of the RAR file after clicking on the malicious button on the HTML page.

 

Inside the RAR file exists a .bat file – the easter egg – with the following content:

 

Figure 10: .bat file inside the RAR file with 2 additional files embedded and extracted via Certutil Windows utility.

 

Digging into the details, the bat file takes advantage of the Certutil LOL BIN to extract the AutoIT loader from the first certificate, and the AutoIT injector (a3x) from the second one. Next, the WMI utility is then utilized to execute the AutoIT loader with the target source file (a3x).

Figure 11: Certutil is used to extract hardcoded binaries and execute them via the WMI Windows utility.

 

AutoIT loader to download the next stage (VBScript)


Filename: TTTTT%RRRRR%_.exe
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417

Filename: FATURA www.galp.pt.a3x
MD5: 7149bc706a85e225b419f50dbc1ef033
SHA1: d80ad22c0e365cf68162fd1f81ee23ad6bf24827


By analyzing the file signature of the AutoIT loader (TTTTT%RRRRR%_.exe), we can easily identify this file is legitimate, signed by AutoIT, Consulting Ltd, and used massively in malicious campaigns by threat authors in the last few years. The AutoIT loader was also utilized in the past campaigns of URSA in 2020 as exhibited below.

Figure 12: AutoIT loader signed by AutoIT Ltd; a legitimate loader used in the wild by crooks to execute malicious code (VT and URSA analysis 2020 URLs).

 

When execute in memory, the AutoIT loader downloads from hardcoded URLs the next stage; a VbScript file that will download additional payloads. The VBScript file is then executed via CMD.EXE (line 3767). Below is presented the plain source code. This scenario is highlighted in step 7 from Figure 8 (high-level diagram).

Figure 13: AutoIT code responsible for downloading the next malware stage (VbScript file).

 

VBScript file to download additional «VBScript» and execute it inline 

As observed below, the AutoIT binary communicates with the target URLs to download the VBScript file. The file is then created into the “%AppData%\Local\Temp” folder and executed.

Interesting to notice the first submissions and data correlation with these domains from VirusTotal, probably indicating this wave has been started in July 2022 as already mentioned at the beginning of this article.

Figure 14: VBScript file downloaded and created on the target dir.

 


Filename: df6uiv.vbs
MD5: f32960c4e67e604a985bcfae9308af8a
SHA1: eb66b566add45d943ce2c810d5ef0c43c3f2f436


After opening the target file, it seems obfuscated.

Figure 15: VBScript file obfuscated after the downloading process.

 

A few rounds of deobfuscation can fix it! As can be seen,  the obfuscation functions perform substitution and replacement of chars until achieving the final payload. The target path is “/g2″, where another VBScript payload is downloaded and executed inline. The VBScript file is a form of an XML component executed by CreateObject(“Wscript.Shell”).Exec(%payload%) windows call.

Figure 16: VBScript code deobfuscated and next VBScript file downloaded and executed inline.

 

As noticed below, the next VBScript file seems totally obfuscated, and we need to deobfuscate it to understand its capabilities.

Figure 17: Aditional VBScript file downloaded and executed inline via CreateObject(“Wscript.Shell”).Exec() component.

 

VBScript used to download and execute the URSA final stage


Filename: g2 / XML
MD5: d3f3e27cd085d1a7ec7b8059e775ba89
SHA1: 469f83cdbb8634dcfa6913b39be673545e8c947a


The URSA dance continues. The VBScript file is then used to download additional payloads, namely:

 

The file has hardcoded and encrypted a lookup table that will populate some pieces of code during its execution. By decrypting the entries, we can get their plain-text value.

Figure 18: Lookup table present on the VBScript file after decrypting it.

 

In addition, a C2 configuration is also hardcoded and encrypted. It contains C2 servers to communicate during the infection process. However, we noticed that this is a kind of configuration is also presented on the first analysis of URSA in 2020 and available here.  In fact, this VBScript is an obfuscated and updated version of the file analyzed in 2020 and presented in Figure 9 here. 

Figure 19: C2 configuration hardcoded on the VBScript file.

 

In detail, this script checks if is running inside a virtual environment, and terminates its execution. Also, the system language is verified, according to the hardcoded codes detailed below. Spanish (Latin American) and Portuguese systems are the focus of criminals’ operations.

Figure 20: Snippet of code responsible for checking if the script is running inside a VM and if the system language feets the crook’s intents.

 

At the first glance, if the computer name is equal to “ JOHN-PC “, it terminates the infection chain. Some details are also obtained from the C2 server, including the configuration used during the downloading of the additional files (the final malware stage). These details (line 466) are then used as a prefix name to create target folders and files on the victim’s machine.

Figure 21: Additional details about the VBScript before downloading the final stage.

 

Next, three additional files are downloaded:

  1. Delphi encrypted DLL (URSA trojan itself)
  2. AutoIT injector source (with hardcoded binary inside – C++ loader); and
  3. AutoIT loader

 

A better perspective of these files can be seen below.

Figure 22: URSA trojan 2020 last stage.

 

1. URSA DLL download


Filename: C:/t35/v221.22v
Size: 4956673(4.73 MB)
MD5: 8069e5d8e22b51f3360cca1582c1f3b7
SHA1: 3ee3915219ddc8fcd1d289c58f9eebfdcf4ae86c
Entropy: 7.47087(packed)


The URSA DLL is downloaded from the C2 server, encrypted, and with a random extension ( https]://m4gx01.hopto.org/lp1am1].dfhyhgf ).

After that, it is renamed to a ZIP file:  c:\t35\v22m1.zip Next, the file is unzipped and renamed to:  v221.22v . Notice that, “t35” path and “v22” prefix are both obtained from the C2 server and highlighted in Figure 21 above. These values are random and change between different infections.

Figure 23: Snippet of code responsible for downloading the encrypted URSA trojan DLL.

 

2. AutoIT source with hardcoded EXE (C++ loader)


Filename: C:/t35/v22
Size: 171726(167.70 kB)
MD5: 782f9bed19336830a6bacdc6c0cf07ec
SHA1: a099df7fad853afd1fb1eb29c18800a1fb498182
Entropy: 7.99899(packed)


Looking at the VBScript file, the AutoIT source code with a C++ loader hardcoded is then downloaded from the C2 server –  https:]//m4gx01.hopto.org/v/lp163.]dfhyhgf  and stored to:  c:\t35\v224.dfhyhgf . The file is renamed to:  c:\t35\v224.zip , and the AutoIT source is extracted and renamed:  c:\t35\v22 .

Figure 24: Snippet of code responsible for downloading the AutoIT source. This file contains a C++ loader inside that will decrypt and execute in memory the URSA DLL.

 

3. AutoIT loader


Filename: C:/t35/v22ai.exe
Size: 893608(872.66 kB)
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
Entropy: 6.62013(packed)


As observed, a legitimate AutoIT loader is then used to load the AutoIT injector source. The file is downloaded from:  https:/]/m4gx01.hopto.]org/lp1aa3.]dfhyhgf  to  c:\t35\v22a3.dfhyhgf . The file is then renamed to  c:\t35\v22a3.zip , unzipped, and again renamed to:  c:\t35\v22ai.exe .

Finally, this AutoIT loader (c:\t35\v22ai.exe), will execute and load the AutoIT source (C:/t35/v22), which will decrypt and load into the memory the URSA trojan DLL: C:/t35/v221.22v.

Figure 25: Snippet of code responsible for downloading the AutoIT loader.

 

 

URSA trojan last stage

:C++ loader hardcoded inside the AutoIT code

At this point of infection, three files are ready to be executed:

Note: Notice that we added different file names above. These files were obtained in another virtual machine execution we used during this analysis.  to7ai.exe ,  to7 , and  to71.7ot  are the files we will use from this point until the end of the article.

 

Take a look at the AutoIT source code after obtaining it in a readable form, we can see that a binary file is hardcoded and it will be loaded into the memory by using the DLL injection technique.

Figure 26: DLL injection technique used to load C++ EXE into the memory.

 

Interesting to notice that part of the source code can be found on the https://www.autoitscript.com Forum in a publication from 2009.

Figure 27: Part of the DLL injection source code found on the AutoIt script web forum.

 

After dumping the c++ loader from memory, it’s possible to understand its purpose.


Filename: hardcoded_loader.dll
Size: 147456(144.00 kB)
MD5: 75aa0635014fddb64536da38c21ee93a
SHA1: 89d448c72d49717e9eb78d639c2d17c479821c38


This binary has hardcoded the path of the URSA DLL to load « to71.7ot », decrypt « sub_10001C30() », and inject it « sub_100001880() » into the memory.

Figure 28: Additional files download during the malware execution (next described), and a snippet of code responsible for decrypting and injection of the URSA DLL.

 

In detail, the left-side below « sub_10001C30() » presents the block of code responsible for decrypting the DLL file, and in the right-side « sub_100001880() » the DLL injection technique.

Figure 29: Decryption and DLL injection calls in detail.

 

Dump URSA DLL from memory 


File name: ursa.dll
Size: 3563520(3.40 MB)
MD5: 0cd43c6759d0f5285cb69fff22e2ed5b
SHA1: 17f160deffd502968ce9c2eb2754cbeddacb74d5


After being injected into memory, it can be dumped in this case at the offset: 0x40c6000. As observed, some junk needs to be removed.

Figure 30: URSA DLL dumped from memory.

 

After aligning the dumped file and removing some junk bytes, we are able to understand its TTP. As can be seen, the binary is not packed, it’s a Delphi DLL and we can reverse it easily.

Figure 31: URSA trojan DLL not packed and obtained from memory.

 

URSA trojan capabilities

The last stage is a Delphi DLL binary responsible for executing browser overlay to control and steal the victim’s secrets while they are accessing their home banking and cryptocoin portals. The activity and code similarities observed are much close to other analyzed and popular trojans operating in Portugal and Latin America, such as Grandoreiro and Lampion. According to an ESET analysis, the final payload is Mispadu, an ambitious Latin American banking trojan that extends its attack surface to web browsers.

The Delphi binary has also two legitimate tools inside. These tools are used to collect credentials stored on the victim’s device.

Figure 32: Binary files available inside the Delphi binary.

 

These tools are executed when the final stage starts, and the data is stored between the tags “===F1===” and “===F2===” highlighted below.

Figure 33: Blocks of code where the credential stealer modules are executed.

 

In detail, these tools are legitimate and provided by NirSoft. The first one – WebBrowserPassView is launched in memory and used to exfiltrate credentials from popular web browsers. On the other side, Mail PassView is used to collect data from several locations.

Figure 34: Tools embedded inside the trojan file and used to collect data from the infected device.

 

During the analysis, we noticed that two additional DLLs are also downloaded by URSA:

 

According to the Embarcaredo Wiki, these DLLs are required to perform communication over HTTPS and must be in place.

 

At the end of the harvesting process, the data is sent over HTTPS to the C2 server.

Figure 35: Victim’s credentials collected and sent to the C2 server.

 

The trojan is simultaneously listening and monitoring which windows and websites are accessed by the victim (it gets the focus windows on the web browser). When a target banking portal is accessed, an overlay window is created on the legitimate web browser window depending on the accessed banking portal.

In short, the next figure shows some target brands “operated” by URSA trojan criminals. The complete list is presented below.

Figure 36: Target brands found during the URSA trojan analysis.

.text:00717770	00000010	C (16 bits)	BBVA_MX
.text:0071778C	00000014	C (16 bits)	AZTECA_MX
.text:007177AC	00000016	C (16 bits)	BANAMEX_MX
.text:007177D0	00000016	C (16 bits)	BANORTE_MX
.text:007177F4	0000001A	C (16 bits)	SANTANDER_ES
.text:0071781C	0000001A	C (16 bits)	CAIXABANK_ES
.text:00717844	00000010	C (16 bits)	HSBC_MX
.text:00717860	00000014	C (16 bits)	SCOTIA_MX
.text:00717880	00000012	C (16 bits)	GERAL_ES
.text:007178A0	0000001A	C (16 bits)	SANTANDER_PT
.text:007178C8	00000014	C (16 bits)	BANKIA_ES
.text:007178E8	00000018	C (16 bits)	SABADELL_ES
.text:0071790C	0000001A	C (16 bits)	BANKINTER_ES
.text:00717934	00000018	C (16 bits)	IBERCAJA_ES
.text:00717958	0000001A	C (16 bits)	LIBERBANK_ES
.text:00717980	00000014	C (16 bits)	ABANCA_ES
.text:007179A0	0000001C	C (16 bits)	KUTXABANCA_ES
.text:007179C8	00000016	C (16 bits)	UNICAJA_ES
.text:007179EC	00000018	C (16 bits)	BANREGIO_ES
.text:00717A10	00000016	C (16 bits)	INBURSA_ES
.text:00717A34	00000014	C (16 bits)	AFIRME_ES
.text:00717A54	00000012	C (16 bits)	BITSO_ES
.text:00717A74	0000001C	C (16 bits)	BLOCKCHAIN_ES
.text:00717A9C	0000000E	C (16 bits)	BTC_ES
.text:00717AB8	00000014	C (16 bits)	PAYPAL_ES
.text:00717AD8	00000012	C (16 bits)	GERAL_PT
.text:00717AF8	0000000E	C (16 bits)	BPI_PT
.text:00717B14	0000001A	C (16 bits)	NOVOBANCO_PT
.text:00717B3C	0000000E	C (16 bits)	BCP_PT
.text:00717B58	0000000E	C (16 bits)	CGD_PT
.text:00717B74	00000014	C (16 bits)	ACTIVO_PT
.text:00717B94	00000018	C (16 bits)	MONTEPIO_PT
.text:00717BB8	0000001C	C (16 bits)	CREDITOAGR_PT
.text:00717BE0	0000000E	C (16 bits)	BTC_PT
.text:00717BFC	00000014	C (16 bits)	PAYPAL_PT
.text:00717C1C	00000010	C (16 bits)	BBVA_PT
.text:00717C38	00000012	C (16 bits)	WINUP_PT
.text:00717C58	00000016	C (16 bits)	EUROBIC_PT
.text:00717C7C	00000012	C (16 bits)	GERAL_IT
.text:00717C9C	0000000E	C (16 bits)	BPM_IT
.text:00717CB8	00000010	C (16 bits)	BPER_IT
.text:00717CD4	00000016	C (16 bits)	UNICRED_IT
.text:00717CF8	00000018	C (16 bits)	SAMPAOLO_IT
.text:00717D1C	0000000E	C (16 bits)	BNL_IT
.text:00717D38	00000018	C (16 bits)	BANCAMPS_IT
.text:00717D5C	00000018	C (16 bits)	COLOMBIA_CO
.text:00717D80	00000014	C (16 bits)	BOGOTA_CO
.text:00717DA0	0000001C	C (16 bits)	DAVIVIENDA_CO
.text:00717DC8	0000001A	C (16 bits)	OCCIDENTE_CO
.text:00717DF0	00000010	C (16 bits)	ITAU_CO
.text:00717E0C	00000012	C (16 bits)	GERAL_UK
.text:00717E2C	00000010	C (16 bits)	HSBC_UK
.text:00717E48	00000016	C (16 bits)	BARCLAY_UK
.text:00717E6C	00000014	C (16 bits)	LLOYDS_UK
.text:00717E8C	00000012	C (16 bits)	ROYAL_UK
.text:00717EAC	00000018	C (16 bits)	STANDARD_UK
.text:00717ED0	0000001A	C (16 bits)	SANTANDER_UK

.text:0071C448	00000012	C (16 bits)	portugal
.text:0071C480	0000000C	C (16 bits)	banco
.text:0071C498	0000000E	C (16 bits)	azteca
.text:0071C4B4	0000001A	C (16 bits)	Banco Azteca
.text:0071C4DC	0000001C	C (16 bits)	banconacional
.text:0071C504	00000010	C (16 bits)	agrcola
.text:0071C520	00000026	C (16 bits)	Banco Nacional de M
.text:0071C560	00000010	C (16 bits)	banorte
.text:0071C57C	0000000C	C (16 bits)	banca
.text:0071C5AC	00000010	C (16 bits)	Banorte
.text:0071C5C8	00000014	C (16 bits)	santander
.text:0071C5E8	00000020	C (16 bits)	Banco Santander
.text:0071C614	00000016	C (16 bits)	scotiabank
.text:0071C638	0000000E	C (16 bits)	Scotia
.text:0071C684	00000016	C (16 bits)	blockchain
.text:0071C6A8	00000016	C (16 bits)	BlockChain
.text:0071C6CC	00000012	C (16 bits)	banregio
.text:0071C6EC	00000012	C (16 bits)	Banregio
.text:0071C70C	00000010	C (16 bits)	inbursa
.text:0071C728	00000010	C (16 bits)	Inbursa
.text:0071C744	0000000E	C (16 bits)	afirme
.text:0071C760	0000000E	C (16 bits)	Afirme
.text:0071C77C	0000000C	C (16 bits)	bitso
.text:0071C794	0000000C	C (16 bits)	Bitso
.text:0071C7AC	00000010	C (16 bits)	bitcoin
.text:0071C7C8	00000010	C (16 bits)	binance
.text:0071C7E4	00000012	C (16 bits)	coinbase
.text:0071C804	0000000E	C (16 bits)	kraken
.text:0071C820	0000000E	C (16 bits)	crypto
.text:0071C83C	00000012	C (16 bits)	primebit
.text:0071C85C	00000010	C (16 bits)	Bitcoin
.text:0071C878	0000000E	C (16 bits)	paypal
.text:0071C894	0000000E	C (16 bits)	Paypal
.text:0071C8B0	0000000E	C (16 bits)	bankia
.text:0071C8CC	0000000E	C (16 bits)	bankla
.text:0071C8E8	0000000E	C (16 bits)	Bankia
.text:0071C904	00000012	C (16 bits)	sabadell
.text:0071C924	00000012	C (16 bits)	Sabadell
.text:0071C944	00000014	C (16 bits)	bankinter
.text:0071C964	00000014	C (16 bits)	Bankinter
.text:0071C984	00000012	C (16 bits)	ibercaja
.text:0071C9A4	00000012	C (16 bits)	Ibercaja
.text:0071C9C4	00000014	C (16 bits)	liberbank
.text:0071C9E4	00000014	C (16 bits)	Liberbank
.text:0071CA04	0000000E	C (16 bits)	abanca
.text:0071CA20	0000000E	C (16 bits)	ABANCA
.text:0071CA3C	00000014	C (16 bits)	kutxabank
.text:0071CA5C	00000014	C (16 bits)	Kutxabank
.text:0071CA7C	00000010	C (16 bits)	unicaja
.text:0071CA98	0000001C	C (16 bits)	Unicaja Banco
.text:0071CAC0	00000012	C (16 bits)	bancobpi
.text:0071CAE0	00000014	C (16 bits)	Banco BPI
.text:0071CB00	00000014	C (16 bits)	novobanco
.text:0071CB20	00000016	C (16 bits)	Novo Banco
.text:0071CB44	0000001C	C (16 bits)	millenniumbcp
.text:0071CB6C	0000001E	C (16 bits)	Millennium BCP
.text:0071CB98	0000001A	C (16 bits)	caixadirecta
.text:0071CBC0	0000001C	C (16 bits)	Caixa Directa
.text:0071CBE8	00000016	C (16 bits)	activobank
.text:0071CC0C	00000018	C (16 bits)	Activo Bank
.text:0071CC30	00000012	C (16 bits)	montepio
.text:0071CC50	0000001E	C (16 bits)	Banco Montepio
.text:0071CC7C	0000001C	C (16 bits)	crditoagrcola
.text:0071CCA4	00000014	C (16 bits)	caixabank
.text:0071CCC4	00000014	C (16 bits)	Caixabank
.text:0071CCE4	00000010	C (16 bits)	eurobic
.text:0071CD00	00000010	C (16 bits)	EuroBic
.text:0071CD1C	00000022	C (16 bits)	bancodeoccidente
.text:0071CD4C	00000026	C (16 bits)	Banco de Occidente
.text:0071CDB0	00000018	C (16 bits)	bancolombia
.text:0071CDD4	0000002E	C (16 bits)	sucursalvirtualempresa
.text:0071CE10	00000018	C (16 bits)	BanColombia
.text:0071CE34	0000001A	C (16 bits)	bancodebogot
.text:0071CE5C	0000001C	C (16 bits)	Banco de Bogot
.text:0071CE88	00000016	C (16 bits)	davivienda
.text:0071CEAC	00000016	C (16 bits)	Davivienda
.text:0071CED0	00000010	C (16 bits)	barclay
.text:0071CEEC	00000010	C (16 bits)	Barclay
.text:0071CF08	0000000E	C (16 bits)	lloyds
.text:0071CF3C	0000000E	C (16 bits)	Lloyds
.text:0071CF58	0000000C	C (16 bits)	royal
.text:0071CF70	0000002E	C (16 bits)	Royal Bank of Scotland
.text:0071CFAC	00000012	C (16 bits)	standard
.text:0071CFCC	00000014	C (16 bits)	chartered
.text:0071CFEC	00000026	C (16 bits)	Standard Chartered
.text:0071D020	0000002C	C (16 bits)	bancapopolaredemilano
.text:0071D058	00000012	C (16 bits)	bancobpm
.text:0071D090	00000014	C (16 bits)	unicredit
.text:0071D0B0	00000028	C (16 bits)	bancaintesasanpaolo
.text:0071D0F8	00000012	C (16 bits)	bancamps
.text:0071D118	00000022	C (16 bits)	Internet Banking
.text:0071D148	00000012	C (16 bits)	bajionet
.text:0071D168	0000001C	C (16 bits)	intercambanco
.text:0071D190	00000014	C (16 bits)	asponline
.text:0071D1B0	00000016	C (16 bits)	aspenlinea
.text:0071D1D4	00000016	C (16 bits)	banjercito
.text:0071D1F8	00000016	C (16 bits)	consubanco
.text:0071D21C	00000012	C (16 bits)	actinver
.text:0071D23C	00000012	C (16 bits)	bankaool
.text:0071D25C	00000016	C (16 bits)	bancamifel
.text:0071D280	00000010	C (16 bits)	bancrea
.text:0071D29C	0000000E	C (16 bits)	stpmex

.text:0071E8A4	00000012	C (16 bits)	portugal
.text:0071E8C4	0000000C	C (16 bits)	banco
.text:0071E8DC	0000000E	C (16 bits)	azteca
.text:0071E8F8	0000001C	C (16 bits)	banconacional
.text:0071E920	00000010	C (16 bits)	agrcola
.text:0071E93C	00000010	C (16 bits)	banorte
.text:0071E958	00000014	C (16 bits)	santander
.text:0071E978	00000016	C (16 bits)	scotiabank
.text:0071E9B4	00000012	C (16 bits)	banregio
.text:0071E9D4	00000010	C (16 bits)	inbursa
.text:0071E9F0	0000000E	C (16 bits)	afirme
.text:0071EA0C	0000000E	C (16 bits)	bankia
.text:0071EA28	0000000E	C (16 bits)	bankla
.text:0071EA44	0000000C	C (16 bits)	banca
.text:0071EA5C	00000012	C (16 bits)	sabadell
.text:0071EA7C	00000014	C (16 bits)	bankinter
.text:0071EA9C	00000012	C (16 bits)	ibercaja
.text:0071EABC	00000014	C (16 bits)	liberbank
.text:0071EADC	0000000E	C (16 bits)	abanca
.text:0071EAF8	00000014	C (16 bits)	kutxabank
.text:0071EB18	00000010	C (16 bits)	unicaja
.text:0071EB34	00000012	C (16 bits)	bancobpi
.text:0071EB54	00000014	C (16 bits)	novobanco
.text:0071EB74	0000001C	C (16 bits)	millenniumbcp
.text:0071EB9C	0000001A	C (16 bits)	caixadirecta
.text:0071EBC4	00000016	C (16 bits)	activobank
.text:0071EBE8	00000012	C (16 bits)	montepio
.text:0071EC08	0000001C	C (16 bits)	crditoagrcola
.text:0071EC30	00000014	C (16 bits)	caixabank

 

As noticed below, a Delphi form (Telas) is running in a loop and performs windows overlay launching the right windows (right-side below) according to the target brand string captured from the user interaction.

Figure 37: Details about the windows overlay process – URSA trojan 2022.

 

When the malware detects the victims accessed a target home banking portal, a connection is established to the malware operator (C2 server). Criminals control each step, requesting specific data step-by-step in a back-office portal. Some commands hardcoded inside the malware are presented below.

.text:0071A760	00000026	C (16 bits)	<|ATIV|>Ativado<|>
.text:0071EC50	00000012	C (16 bits)	<|ALRM|>
.text:0071F170	00000018	C (16 bits)	<|Desktop|>
.text:0071F1A4	00000018	C (16 bits)	<|TAMANHO|>
.text:0071F49C	00000012	C (16 bits)	<|gets|>
.text:0071F4BC	00000018	C (16 bits)	<|TAMANHW|>
.text:0071F504	00000018	C (16 bits)	<|TAMANHO|>
.text:0071F528	00000012	C (16 bits)	<|okok|>
.text:0071F5F4	0000001A	C (16 bits)	<|KEYBOARD|>
.text:0071F918	00000018	C (16 bits)	<|JKEYLOG|>
.text:0071F960	0000001C	C (16 bits)	<|TAMANHOKL|>
.text:0071FDB0	00000016	C (16 bits)	<|getsKL|>
.text:0071FDD4	0000001C	C (16 bits)	<|TAMANHOKL|>
.text:0071FE20	00000016	C (16 bits)	<|okokKL|>
.text:0071FE44	00000016	C (16 bits)	<|getsPS|>
.text:0071FE68	0000001C	C (16 bits)	<|TAMANHOPS|>
.text:0071FE90	00000016	C (16 bits)	<|okokPS|>
.text:0071FEB4	00000018	C (16 bits)	<|getsKL2|>
.text:0071FED8	00000018	C (16 bits)	<|okokKL2|>
.text:00720024	0000001A	C (16 bits)	<|DOWNLOAD|>
.text:00720070	0000001C	C (16 bits)	<|DOWNLOAD2|>
.text:00720278	0000000E	C (16 bits)	<|OK|>
.text:007202A4	00000010	C (16 bits)	<|OKt|>
.text:00720AA8	0000001C	C (16 bits)	<|TAMANHOKL|>
.text:007210FC	00000014	C (16 bits)	<|WLOGS|>
.text:00721164	00000012	C (16 bits)	<|STAT|>
.text:00728DD8	00000012	C (16 bits)	<|STAT|>
.text:00728E94	00000022	C (16 bits)	<<|<|ESPERA|><<|
.text:00728EC4	0000001E	C (16 bits)	<|STAT|>colou 
.text:00728FB4	0000003C	C (16 bits)	<|STAT|>Imagem esp enviada<|>
.text:00728FFC	00000032	C (16 bits)	<|STAT|>Print enviado<|>
.text:0072903C	00000038	C (16 bits)	<|STAT|>Dados Reenviados<|>
.text:00729080	0000003E	C (16 bits)	<|STAT|>Reiniciando maquina<|>
.text:007290E8	0000001C	C (16 bits)	<|TAMANHOPS|>
.text:00729110	00000040	C (16 bits)	<|STAT|>Alpha blend alterado<|>
.text:0072915C	0000003A	C (16 bits)	<|STAT|>Conexao encerrada<|>
.text:007291B8	00000032	C (16 bits)	<|STAT|>Maq bloqueada<|>
.text:007291F8	00000038	C (16 bits)	<|STAT|>Conexao resetada<|>
.text:00729250	00000030	C (16 bits)	<|STAT|>Maq liberada<|>
.text:0072928C	0000002C	C (16 bits)	<|ATIV|>Desativado<|>
.text:007292C4	0000003E	C (16 bits)	<|STAT|>Tam buraco alterado<|>
.text:00729310	00000030	C (16 bits)	<|STAT|>KL instalado<|>
.text:0072934C	00000036	C (16 bits)	<|STAT|>KL desinstalado<|>
.text:00729390	00000036	C (16 bits)	<|STAT|>KL desisntalada<|>
.text:007293D4	0000002E	C (16 bits)	<|STAT|>KL alterada<|>
.text:00729410	00000028	C (16 bits)	<|STAT|>Comando KL 
.text:00729444	0000002E	C (16 bits)	<|STAT|>Log Enviado<|>
.text:00729480	00000042	C (16 bits)	<|STAT|>Nenhum log encontrado<|>
.text:007294D0	00000042	C (16 bits)	<|STAT|>Transformacao recorte = 
.text:00729520	00000034	C (16 bits)	<|STAT|>Mouse Alterado = 
.text:00729560	0000003A	C (16 bits)	<|STAT|>Comando MostraBarra 
.text:007295A8	00000038	C (16 bits)	<|STAT|>Comando AtualizaUP 
.text:00729608	0000003A	C (16 bits)	<|STAT|>Comando PostMessage 
.text:00729650	0000003A	C (16 bits)	<|STAT|>Comando SendMessage 
.text:00729698	0000001C	C (16 bits)	<|TAMANHOKL|>
.text:007296D8	0000002E	C (16 bits)	<|STAT|>Log Apagado<|>
.text:00729714	00000038	C (16 bits)	<|STAT|>Comando ShowWindow 
.text:00729768	00000018	C (16 bits)	<|WLOGS|>\r\n
.text:007297A0	00000032	C (16 bits)	<|STAT|>Comando SetFore 
.text:007297E0	00000030	C (16 bits)	<|STAT|>Comando WinExec
.text:0072981C	0000002E	C (16 bits)	<|STAT|>Comando Shell 
.text:00729864	0000002C	C (16 bits)	<|STAT|>Comando Down 
.text:0072989C	0000003C	C (16 bits)	<|STAT|>Download Encerrado<|>
.text:007298FC	0000003E	C (16 bits)	<|STAT|>Comando Block Entrada 
.text:007299A4	00000034	C (16 bits)	<|STAT|>Comando SetaFase 
.text:007299E4	00000028	C (16 bits)	<|STAT|>Manter Conex
.text:00729A48	00000028	C (16 bits)	<|STAT|>Manter Conex
.text:00729AA0	0000003C	C (16 bits)	<|STAT|>Comando Restaurar <|>
.text:00729B18	0000003E	C (16 bits)	<|STAT|>Comando Orientacao <|>
.text:00729B64	00000030	C (16 bits)	<|STAT|>Rolou Mouse <|>
.text:00729BE0	0000002E	C (16 bits)	<|STAT|>Erro criado<|>
.text:00729C1C	00000030	C (16 bits)	<|STAT|>Erro Enviado<|>
.text:00729C58	0000002C	C (16 bits)	<|STAT|>Erro N Enc<|>
.text:00729C90	00000030	C (16 bits)	<|STAT|>Erro Apagado<|>
.text:0072A540	0000001C	C (16 bits)	<|PRINCIPAL|>
.text:0072B868	0000001E	C (16 bits)	<|SocketMain|>
.text:0072B8A8	0000000E	C (16 bits)	<|OK|>
.text:0072B928	00000012	C (16 bits)	<|Info|>
.text:0072B96C	00000012	C (16 bits)	<|PING|>
.text:0072B98C	00000012	C (16 bits)	<|PONG|>
.text:0072B9AC	00000014	C (16 bits)	<|Close|>
.text:0072B9EC	00000018	C (16 bits)	<|NOSenha|>
.text:0072BA3C	00000028	C (16 bits)	<|REQUESTKEYBOARD|>
.text:0072BA70	00000012	C (16 bits)	<|WCMD|>
.text:0072BA90	00000014	C (16 bits)	<|first|>
.text:0072BAB0	0000001A	C (16 bits)	<|MousePos|>
.text:0072BAD8	00000018	C (16 bits)	<|MouseLD|>
.text:0072BAFC	00000018	C (16 bits)	<|MouseLY|>
.text:0072BB20	00000018	C (16 bits)	<|MouseLX|>
.text:0072BB44	00000018	C (16 bits)	<|MouseDC|>
.text:0072BB68	00000018	C (16 bits)	<|MouseLU|>
.text:0072BB8C	00000018	C (16 bits)	<|MouseRD|>
.text:0072BBB0	00000018	C (16 bits)	<|MouseRU|>
.text:0072BBD4	00000018	C (16 bits)	<|MouseWH|>

 

As observed, URSA DLL is determined by a lot of capabilities:

 

 

C2 details and victim’s data

The victim’s data is sent to C2 during the malware execution. During our analysis, it was possible to obtain information on the number of victims affected during the 2021 and 2022 campaigns.

Figure 38: Some affected users and AV engines bypassed by URSA (Portuguese campaign – September 2022).

 

Interesting that this malware evades AV detection. We can see in Figure 38 that many machines were running popular antivirus and were infected by this threat. On the other side, all the victim’s data is stored in TXT files on the C2 server. The file starts with the id language (Portugal – 2070), followed by the computer name, trojan compilation ID, and finally, the victim ID present on the C2 database.

Figure 39: Details about victims infected by URSA trojan in September 2022 in Portugal.

 

Figure 40: Victims’ details present on the C2 server online (left-side: Portugal, middle: Mexico, right-side: Spain).

 

In detail, the files are encrypted and have the secrets collected from the infected machines, including passwords from popular software and web browsers. We believe the group behind these kinds of trojans should sell the accesses later to other threat groups.

In addition, we found a BTC address inside the URSA DLL with two transactions.  It has received a total of 0.57965786 BTC ($12,581.63) and has sent a total of 0.57965786 BTC ($12,581.63).

Figure 41: BTC address found during the URSA trojan analysis.

 

 

Final Thoughts

URSA is a potent piece of malware, whose primary capability is the theft of banking information and other personal information from the user machine and sending it to the C2 server. This trojan takes advantage of complex loaders (in number and sophistication), and thus bypasses AV and EDR detection.

As common on Latin American trojans, the usage of LOL BINS such as WMI and Certutil as well as legitimate loaders (AutoIT) allows circumventing security defenses and easily injecting malicious code into the memory without touching on disk, at least, with the binary in a plain-text form.

From URSA’s analysis, we can conclude that Latin American operators are sharing code between different trojans such as Lampion, Javali, Grandoreiro, and so on.

This trojan is a dangerous weapon, with the capabilities to self-update itself, capture keystrokes and mouse movements, take screenshots, block access to several Windows-based applications, get secrets and passwords from banking and financial portals, execute additional payloads, and initiate the windows overlay process when a legitimate portal is accessed.

Latin American trojans are on the rise with multiple variants targeting banking organizations. These variants come with different peculiarities, with the goal of hiding their presence and bypassing detection. Thus, organizations are recommended to make use of provided IOCs for better detection of URSA or similar threats.

Let’s take malware protection seriously!

 

Mitre Att&ck Matrix

 

Indicators of Compromise (IOCs)

===========FILES================
FATURA_208538.PDF.html | 3a69914e18119a42695a3dde89ea4221
https://www.virustotal.com/gui/file-analysis/M2E2OTkxNGUxODExOWE0MjY5NWEzZGRlODllYTQyMjE6MTY2MzE2MTE1NA==

FATURA_GALP_912218.rar | a5c87471e8d438cd40b137b2c0aa276e
https://www.virustotal.com/gui/file-analysis/YTVjODc0NzFlOGQ0MzhjZDQwYjEzN2IyYzBhYTI3NmU6MTY2MzE2MTI0Mw==


FATURA www.galp.pt.bat | 95a6bc8457f5852a40c09dbdda2b5ae3
https://www.virustotal.com/gui/file-analysis/OTVhNmJjODQ1N2Y1ODUyYTQwYzA5ZGJkZGEyYjVhZTM6MTY2MzE2MTI4OQ==


TTTTT%RRRRR%_.exe | c56b5f0201a3b3de53e561fe76912bfd
https://www.virustotal.com/gui/file/237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d


TTTTT%RRRRR%_.a3x / FATURA www.galp.pt.a3x | 6272b71def704494d7be276df39746ac
https://www.virustotal.com/gui/file/2745605626d3e93eb9d86adf9cf462321098f6c27d445474f7293357c441d351?nocache=1


df6uiv.vbs | f32960c4e67e604a985bcfae9308af8a
https://www.virustotal.com/gui/file-analysis/ZjMyOTYwYzRlNjdlNjA0YTk4NWJjZmFlOTMwOGFmOGE6MTY2MzE2MTU5OA==

g2 | d3f3e27cd085d1a7ec7b8059e775ba89
https://www.virustotal.com/gui/file-analysis/ZDNmM2UyN2NkMDg1ZDFhN2VjN2I4MDU5ZTc3NWJhODk6MTY2MzE2MTc1Ng==

v221.22v / to71.7ot (URSA encrypred DLL) | 8069e5d8e22b51f3360cca1582c1f3b7
https://www.virustotal.com/gui/file-analysis/ODA2OWU1ZDhlMjJiNTFmMzM2MGNjYTE1ODJjMWYzYjc6MTY2MzE2MTgyOQ==

v22 / to7 | 782f9bed19336830a6bacdc6c0cf07ec
https://www.virustotal.com/gui/file-analysis/NzgyZjliZWQxOTMzNjgzMGE2YmFjZGM2YzBjZjA3ZWM6MTY2MzE2MTg1MA==

v22ai.exe / to7ai.exe | c56b5f0201a3b3de53e561fe76912bfd
https://www.virustotal.com/gui/file/237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

hardcoded_loader.dll | 75aa0635014fddb64536da38c21ee93a
https://www.virustotal.com/gui/file/d7588b38b2534e8683f70b90aab477c187bd1659b92bb45170b0d2b8cfc31807

to7ai.exe.bin  - URSA dumped - cleaned (DLL) | f39b28222e24ba18d8c26e03be3bc857
https://www.virustotal.com/gui/file-analysis/ZjM5YjI4MjIyZTI0YmExOGQ4YzI2ZTAzYmUzYmM4NTc6MTY2MzE2MjAzNA==

libeay32.dll | 284e004b654306f8db1a63cff0e73d91
ssleay32.dll | de484d5dafe3c1208da6e24af40e0a97

======C2 && URLs=============
http://168.100.9.172
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26847

http://206.188.196.166/
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26846

http://mqgpw2.servepics.com/
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26725

http://mxgpw1.serveirc.com/
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26724

http://dreamixcorporation.com/
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26670

https://documents.drive.dreamixcorporation.com/do/it.php
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26669

http://198.54.117.198/
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26668

https://stunningsolutions.in/js/fatura/?f71eda6de70d5cd8464e0ab7905eced9f71eda6de70d5cd8464e0ab7905eced9
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26667

https://dom32.store
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26666

https://dom32.store/z/?YPehBDYYYVe0xkiwaK4G84tilx6TkXysr3ocTtzAYPehBDYYYVe0xkiwaK4G84tilx6TkXysr3ocTtzA
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26665

http://highlineadsl.com
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26664

http://highlineadsl.com/ddd/it.php?b2
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26663

http://m4gx01.hopto.org/
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26662

https://m4gx01.hopto.org/
https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26661

 

 

Yara rule

This Yara rule can also be downloaded from the GitHub repository here.

import "pe"
import "hash"

rule URSA_trojan_VBS_loader_2022 {
meta:
    description = "Yara rule for URSA trojan VBS (loader) - September 2022 version"
    author = "SI-LAB - https://seguranca-informatica.pt"
    last_updated = "2022-09-14"
    tlp = "white"
    category = "informational"
    
    strings:
    $s_a = {6d 34 67 78 30 31}
    $s_b = {6d 73 67 42 6f 78}
    condition:
        filesize < 10KB
        and all of ($s_*)
}
rule URSA_VBS_AUTOIT_LOADER_2022 {
meta:
    description = "Yara rule for URSA trojan VBS loader AuToIT - September 2022 version"
    author = "SI-LAB - https://seguranca-informatica.pt"
    last_updated = "2022-09-14"
    tlp = "white"
    category = "informational"
    
    strings:
    $s_a = "Nova"
    $s_b = "_39"
    $s_c = "FCYFLFCFMF"
    $s_d = "FJCXCUCHCOCHEUFECWCHCOCHEUFECXCHCO"
    condition:
        filesize < 40KB
        and all of ($s_*)
}
rule URSA_AUTOIT_LOADER_2022 {
meta:
    description = "Yara rule for URSA trojan VBS loader AuToIT - September 2022 version"
    author = "SI-LAB - https://seguranca-informatica.pt"
    last_updated = "2022-09-14"
    tlp = "white"
    category = "informational"
    
    strings:
    $s_a = {41 75 74 6F 49 74}
    condition:
        filesize < 900KB and
        hash.md5(0, filesize) == "c56b5f0201a3b3de53e561fe76912bfd" 
        and all of ($s_*)
}
rule URSA_DLL_ENCRYPED_2022 {
meta:
    description = "Yara rule for URSA trojan VBS loader AuToIT - September 2022 version"
    author = "SI-LAB - https://seguranca-informatica.pt"
    last_updated = "2022-09-14"
    tlp = "white"
    category = "informational"
    
    strings:
    $s_a = {15 62 70 67 18 1B 1A 1B 1C 21 1E 24}
    $s_b = {32 33 34 35 36 37 38 2F 30 31 32 25 26 27 28 37 38 2F 30 31 32 33 34 35 36 37 38 2F 30 31 32 1B 1C 35 36}
    condition:
        filesize < 5000KB 
        and all of ($s_*)
}

rule URSA_DLL_ENCRYPED_2022 {
meta:
    description = "Yara rule for URSA trojan VBS loader AuToIT - September 2022 version"
    author = "SI-LAB - https://seguranca-informatica.pt"
    last_updated = "2022-09-14"
    tlp = "white"
    category = "informational"
    
    strings:
    $s_a = {15 62 70 67 18 1B 1A 1B 1C 21 1E 24}
    $s_b = {32 33 34 35 36 37 38 2F 30 31 32 25 26 27 28 37 38 2F 30 31 32 33 34 35 36 37 38 2F 30 31 32 1B 1C 35 36}
    condition:
        filesize < 5000KB 
        and all of ($s_*)
}

 

 

Exit mobile version